Holiday Cyber Attacks: How to Outsmart the Bots
By Alexa Bleecker, Director of Cybersecurity Content, Kasada
Alexa Bleecker is the Director of Cybersecurity Content at Kasada, where she curates and promotes cybersecurity resources on how to stop malicious automated attacks. Previously, she worked in marketing roles at QRadar and IBM Security. Before that, Alexa led marketing at security startups: RangeForce, Transmit Security, and Trusteer. Alexa also mentors young women as part of Women in Cybersecurity (WiCyS). She has a Bachelor of Science in Business from Questrom School of Business and a Master's in Cybersecurity Policy and Governance from Boston College.
With the supply chain shortages and an uncertain economic climate, many retailers are expecting a slower holiday shopping season. But even if overall eCommerce sales trend down, that doesn't mean that cybercriminals will be taking a break. In fact, you can be sure that bad actors are preparing to launch many of the eCommerce cyber-attacks we've seen this year with extra amplification between Black Friday and Cyber Monday that will continue throughout the season.
Why? The answer is simple. Cybercriminals are motivated by money, and the holidays present ample opportunities to profit—from scalping to scraping, to selling card cracking codes to committing account fraud. With automated tools and techniques to scale their efforts, threat actors are setting themselves up to prosper.
You’d Better Watch Out for These Holiday Threats
The holiday season is upon us. And with it comes all the joys (and stresses) of buying presents for our loved ones. For many of us, that means braving the crowds – or competing with the bots to purchase gifts online. These bots are dubbed Grinch bots because they scoop up in-demand items before legitimate customers can.
Gift Card Fraud
One of the most popular targets for fraudsters during the holiday season is gift cards. And it's easy to see why - they're easy to buy and sell online, and they can be used anywhere that accepts them. Gift cards are also a form of anonymous currency, which helps fraudsters conceal their identity in the underground marketplace.
While loyalty programs can offer a great way to save money, they can also be a goldmine for cybercriminals. That's because many of them are easy to exploit, and the points can be sold for cash.
With many retailers offering deep discounts on popular items, it's no wonder Black Friday/Cyber Monday are magnet days for bargain hunters. But while customers are busy scouring your website for deals, fraudsters will be hard at work too. Freebie bots take advantage of these extreme discounts by continuously scanning products to see if any have been mistakenly published for $0 or discounted by 50-90%.
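One defensive check against the pricing mistakes that freebie bots look for, as an added example that is not part of the original article: a pre-publish guard that rejects $0 prices and holds discounts of 50% or more until someone approves them. The field names, the `approved_promo` flag and the 50% threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Assumed policy: a discount at or above this fraction needs explicit sign-off.
REVIEW_DISCOUNT = Decimal("0.50")

@dataclass
class PriceChange:
    sku: str
    list_price: str               # strings, as they arrive from a feed or admin form
    sale_price: str
    approved_promo: bool = False  # hypothetical flag set by a pricing manager

def check_price(change: PriceChange) -> tuple[str, str]:
    """Return (decision, reason); decision is 'publish', 'hold' or 'reject'."""
    try:
        list_price = Decimal(change.list_price)
        sale_price = Decimal(change.sale_price)
    except InvalidOperation:
        return "reject", "price is not a number"
    if not (list_price.is_finite() and sale_price.is_finite()):
        return "reject", "price is not finite"
    if list_price <= 0:
        return "reject", "list price must be positive"
    if sale_price <= 0:
        return "reject", "sale price is zero or negative"
    if sale_price > list_price:
        return "hold", "sale price exceeds list price"
    discount = (list_price - sale_price) / list_price
    if discount >= REVIEW_DISCOUNT and not change.approved_promo:
        return "hold", f"unapproved discount of {discount:.0%}"
    return "publish", "ok"

# Constructed sample catalog updates (not real data).
SAMPLE = [
    PriceChange("SKU-1001", "59.99", "44.99"),                       # 25% off
    PriceChange("SKU-1002", "199.99", "0.00"),                       # published at $0
    PriceChange("SKU-1003", "199.99", "19.99"),                      # misplaced decimal
    PriceChange("SKU-1004", "80.00", "40.00", approved_promo=True),  # signed-off doorbuster
    PriceChange("SKU-1005", "25.00", ""),                            # empty form field
]

def review(changes):
    """Map each SKU to its decision so held items can be routed to a human."""
    return {c.sku: check_price(c)[0] for c in changes}

if __name__ == "__main__":
    print(review(SAMPLE))
```

Running the guard at publish time, rather than as a nightly audit, matters because the bots described above scan continuously.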
All-in-One Fraud Tools
Another tactic rising in popularity among cybercriminals during the holiday season is the use of solver services. These services help adversaries bypass detection controls such as CAPTCHAs, which are designed to stop automated attacks. Based on our research, the use of solver services has increased by 750% in the past year.
Preparing for Holiday Bots
As the holiday shopping season kicks into gear, the goal is to stop bots without disrupting the buyer experience. Keeping bots off your site won’t matter if your human customers leave too. Here are four essential steps, tips and questions to ask to help prevent bot attacks on your website, mobile apps, and APIs.
Step 1. Identify and understand the unique bot threats and risks to your business
What types of goods or services do you sell that might be especially in demand right now? Find out what bot threats your site can detect with an instant test. Assess the various OWASP automated threats that may impact your applications.
Step 2. Remove fake users and bad bots to uncover insights into your web traffic
At peak times, your bot traffic can be 10X your usual traffic, which skews metrics and results in an unfavorable experience for customers. Clean up your bot traffic to deeply understand consumer behavior while saving on infrastructure costs.
Step 3. Prioritize your customer experience, conversion rates, and revenue generation
Use technology to help ensure your products can be purchased by legitimate customers, not fraudsters looking to make a profit. Invest in security solutions that don’t add additional layers of friction for your users.
Step 4. Continue to expect the unexpected
Make your anti-bot vendor list, and check it twice. The standard holiday preparedness practices don’t really matter if bots are exploiting your website, apps, and/or APIs. The real eCommerce holiday readiness is to expect the unexpected and become agile enough to change at a moment’s notice.
All in all, the holiday season is a busy time for everyone - including threat actors. So, it's important to be aware of the dangers and take steps to protect your organization. From gift card fraud to loyalty abuse to CAPTCHA solver services and more, keep these tips in mind and you'll be sure to have a safe and happy holiday season.